Russia hacking: How a botched ‘cleanup’ operation helped to unmask a global cyberweb

For free real time breaking news alerts sent straight to your inbox sign up to our breaking news emails

Sign up to our free breaking news emails

Please enter a valid email address

Please enter a valid email address

SIGN UP

I would like to be emailed about offers, events and updates from The Independent. Read our privacy notice

The dramatic accusations against Russia of waging systematic cyberwarfare internationally, and on a massive scale, came following a complex and extensive investigation which began after the novichok attack in Salisbury.

Repeated attempts by the Kremlin to cover up connections to the attempted assassination of Sergei Skripal as well as the shooting down of a Malaysian airliner over Ukraine, and a chemical attack in Syria, opened up fresh avenues of inquiry and gave renewed impetus to examining previous cases of hacking for which Moscow was thought to be responsible.

And it was the spectacular failure of one such “cleanup” mission, in The Hague, which presented crucial evidence in tracking down the cyberweb created on a global scale by the Kremlin, and the modus operandi of its weapon of choice in hybrid warfare, the military intelligence service the GRU.

While dozens of Russian embassy officials working under diplomatic credentials were expelled by allied countries after the British government provided information on Russian culpability in the novichok attack, a number of suspected intelligence agents were allowed to stay in post, to monitor their links to state security organisations including the GRU. And this, too, say officials proved to be of great value in the unearthing of clandestine plots.

Overall, the investigation involved liaison between Britain, the US, Canada, Ukraine, the Netherlands, Switzerland, France and Germany as well as exchanges of information with a number of other countries including Malaysia and Brazil. Pulling together the intelligence exposed links between plots targeting various institutions and countries which, at times, involved the same personnel, it is claimed.

As an example of this, security officials point to seven Russians charged on Thursday by the US with hacking anti-doping agencies. Three of them were also named by the special counsel investigating Moscow’s interference in the US election that took Donald Trump to the White House. The men, identified as members of the GRU, were indicted by Robert Mueller for hacking Democratic Party emails, including those of Hillary Clinton.

While decrying British charges of its involvement in the Salisbury poisoning, the Kremlin was making increasingly frantic attempts to disrupt the investigation into the attack, say British and other western officials. The Sandworm cybercrime department of the GRU carried out spear-phishing attacks on the Foreign Office in London in March and the Porton Down chemical weapons facility in April. The same month four intelligence officers travelled to The Hague to carry out a cyberattack on the headquarters of the international chemical watchdog analysing the chemical agent used in Salisbury as well as that used in an attack in Douma, Syria, for which Russia’s ally, the Assad regime, was blamed.

The remote attack on the Foreign Office and Porton Down were unsuccessful and the four GRU officers in the Netherlands were detained and then expelled by the Dutch security services after receiving information from London. In a vital breakthrough, search of the men’s belongings found an antenna that had been pointed at the building of the Organisation for the Prohibition of Chemical Weapons (OPCW) as well as a taxi receipt kept, it is believed, for claiming expenses from a GRU office in Moscow to the airport.

The GRU officers, travelling under the names of Aleksei Sergeyvich Morenets, Evgenii Mikhaylovich Serebriakov, Oleg Mikhaylovich Sotnikov and Alexey Valeryevich Minin, are said to be members of Unit 26165, which has also been known as APT 28. They were found to be carrying train tickets to Basel, and their laptops revealed online searches for the Spiez Lab, the Swiss institute for nuclear, biological and chemical protection, the designated facility for the OPCW. At least two of the men, it is claimed, had visited Switzerland in the past.

Checks on computers, modems, a transformer and mobile phones found on the GRU officers showed that some of the party had tried to hack the investigation in Malaysia into the shooting down of the MH17 flight, killing 298 people on board, which had been blamed on Ukrainian separatists and their Russian mentors. According to British and Dutch officials one of those detained in The Hague, using the name Yevgeniy Serebriakov, had been active in Malaysia targeting the headquarters of the Royal Malaysian Police and the office of the attorney general. Records showed he had flown to the capital, Kuala Lumpur, in December 2017, and booked into the Grand Millennium Hotel.

The four GRU officers in The Hague had connected to the wifi at a hotel, the Alpha-Palmiers, where a conference of Wada (the World Anti-Doping Agency) was taking place and delegates from the International Olympics Committee and the Canadian Centre for Ethics in sport were affected by the cyberattack.

The information gleamed from the seized equipment was passed to, among others, the Royal Canadian Mounted Police, which have been carrying out its own investigation into a malware assault on the Canadian Centre for Ethics in Sport in 2016. The Foreign Ministry in Ottawa said on Thursday: “The government of Canada assesses with high confidence that the GRU was responsible for this compromise. Today, Canada joins its allies in identifying and exposing a series of malicious cyber-operations by the Russian military.”

The laptops seized in The Hague also showed they had been used in Brazil. The website of the Court of Arbitration in Sports (CAS) was hacked during the Rio de Janeiro Olympics in 2016. The court had been dealing with cases of Russian athletes who were alleged to be involved in state sponsored doping.

The US Justice Department’s indictment against the seven Russians alleges they registered a fake domain and carried out online reconnaissance efforts targeting CAS accounts. The court said on Thursday that “it was good to know” the Russians who carried out the 2016 attack have been identified.

A senior British government official said: “Russian intelligence services are constantly conducting operations to try to penetrate UK government networks. It is a constant and pervasive threat. Whenever international institutions investigate activities attributed to the Russian state, such as the work of OPCW or MH17, it seems the GRU pops up. There is a correlation between international investigation of Russian activity and the GRU.”

The US defence secretary, James Mattis, said the US “is ready today to provide cyber-support to our allies, I’ve seen enough of the evidence to say that the Dutch and the British are 100 per cent accurate in who they have attributed this to.

“Basically, the Russians got caught with their equipment, with people who were doing it and they have to pay the piper, they are going to have to be held to account. How we respond is a political decision by the nations involved.”

British security sources maintained that, despite the setbacks, the Kremlin will continue similar operations in the future in Britain and elsewhere. “It’s hardwired into their DNA, they have been doing this for a long time and will continue doing so,” said one official. “And they will simply deny everything, I am surprised they haven’t already come up with the tourist sites these men were visiting in The Hague.”